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Abstract. This paper describes the xSAP safety analysis platform. xSAP pro¬ 
vides several model-based safety analysis features for finite- and infinite-state 
synchronous transition systems. In particular, it supports library-based definition 
of fault modes, an automatic model extension facility, generation of safety anal¬ 
ysis artifacts such as Dynamic Fault Trees (DFTs) and Failure Mode and Effects 
Analysis (FMEA) tables. Moreover, it supports probabilistic evaluation of Fault 
Trees, failure propagation analysis using Timed Failure Propagation Graphs (TF- 
PGs), and Common Cause Analysis (CCA). xSAP has been used in several in¬ 
dustrial projects as verification back-end, and is currently being evaluated in a 
joint R&D Project involving FBK and The Boeing Company. 


1 Introduction 

In recent years, there has been a growing industrial interest in model-based safety as¬ 
sessment techniques (MBSA) [1,2,3,4,5] and their application. These methods are based 
on a single safety model of a system, and analyses are carried out with a high degree 
of automation, thus reducing the most tedious and error-prone activities that today are 
carried out manually. Formal verification tools based on model checking have been ex¬ 
tended to automate the generation of artifacts such as Fault Trees and FMEA tables, 
which are required for certification of safety critical systems - see, e.g.,[6,7,8]. 

xSAP is a platform for Model-Based Safety Analysis (MBSA), which provides 
a variety of features. First, it enables the definition of fault modes, based on a cus¬ 
tomizable fault library. Second, it implements automatic model extension, namely the 
possibility to automatically extend a system model with the fault definitions retrieved 
from the library. Third, it implements a full range of safety analyses, including Fault 
Tree Analysis (FTA), Failure Mode and Effects Analysis (FMEA), failure propagation 
analysis using Timed Failure Propagation Graphs (TFPGs), and Common Cause Anal¬ 
ysis (CCA). Finally, xS AP implements a family of effective routines for such analyses, 
based on state-of-the-art model checking techniques, including BDD-, SAT- and SMT- 
based techniques. 

xSAP is currently the core verification engine for many other tools, including in¬ 
dustrial ones. It has been used in several industrial projects, including COMPASS [9], 
AUTOGEF [10], FAME [ 11 ] and HASDEL [12], funded by the European Space Agency. 
Moreover, xSAP is currently being used in a joint research and development project 
between EBK and The Boeing Company [13]. 

xSAP is being developed by EBK, and it is currently distributed with a free li¬ 
cense for academic research purposes and non-commercial applications. xS AP can be 
downloaded from http : / /xsap . fbk . eu. 
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Fig. 1. The xS AP main flow. 


Related Work. The system closest to xSAP is the FSAP platform [14], which is no 
longer maintained. xS AP extends FSAP along several directions. First, FSAP was lim¬ 
ited to finite-state systems, while xSAP can handle inhnite-state ones. Second, xSAP 
provides more general and customizable libraries to dehne fault modes and their dy¬ 
namics and new features, e.g., models and algorithms for failure propagation analysis. 
Third, xSAP implements a family of advanced routines for safety analysis that ex¬ 
tend those of FSAP in many respects - namely, the BDD-based Fault Tree generation 
routines described in [15] are complemented by (different variants of) SAT-based and 
SMT-based routines, and routines based on IC3 [16,17]. Finally, while FSAP provides 
a graphical user interface, xSAP relies on an interaction shell similar to NUXmv, and 
models are expressed in textual format, thus increasing the flexibility and possibility of 
integration within other tools. 

Some of the safety assessment functions of xSAP are used as a back-end for the 
COMPASS tool [5,18] and its extensions [19,20]. There are two key differences with 
respect to the COMPASS tools. First, xS AP provides a wider range of routines for Fault 
Tree generation; second, xSAP implements a general model extension mechanism, 
based on a library dehning fault modes and their dynamics, while in COMPASS the 
fault models must be modeled manually and explicitly within the SLIM language. 

Other platforms for MBS A are based on the Altarica language and OCAS [2 1 ,22,23] , 
on Scade [24,25], and on Statemate [26,27]. None of them is publicly available. 

Finally, in [28] the authors present a framework for model based safety analysis, that 
provides transformations into different model checkers, including NuSMV, but does not 
provide specialized algorithms. 


Structure of the paper. In Sect. 2 and 3 we describe the functionalities and the architec¬ 
ture of xSAP. In Sect. 4 we briefly discuss its most successful applications. In Sect. 5 
we draw conclusions and outline future directions. 


2 Functionality 


In this section we describe the main features of xS AP. Fig. 1 illustrates the main flow. 
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P=3,00e-05 P=3,00e-05 P = 2,00e-05 P=2,00e-05 


function ptob = 

fault_probabi1ity( 
_PR0B_S20ff, 

_PR0B_G20ff, 

PROB GlOff, 

_PROB_SlOff) 

prob = (1 - _PR0B_S20ff) * 
(_PROB_GlOff * 
_PR0B_G20ff) + 
(_PROB_SlOff * 

(1 - _PR0B_G20ff) + 
((1 - _PR0B_S10ff) * 
_PROB_GlOff + 
_PR0B_S10ff) * 
_PR0B_G20ff) * 
_PR0B_S20ff; 


Fig. 2. An example FT and the associated symbolic probability. 


2.1 Model Extension 

Model extension [14,4] is an automated process that, based on a specification of the 
possible faults, returns a model (called extended model) that takes into account faulty 
behaviors. The model extension routine takes as input the nominal model (describing 
behavior in absence of faults), the fault library (containing templates for faults and their 
dynamics) and the fault extension instructions (specifying directives to instantiate the 
fault templates). Formal analyses can be run on the extended model, in order to assess 
system behavior in presence of faults. 

The fault library of xSAP contains a comprehensive set of predefined fault modes, 
including, e.g., different variants of stuck at, random, conditional, ramp down, and can 
be further customized for any specific need. Moreover, a local and global dynamics 
libraries enable the definition of the dynamics of faults (e.g., permanent or sporadic). 
The fault library has been validated and extended to match the need of a significant case 
study of industrial size [13]. 

2.2 Safety Analysis 

xS AP supports the automatic generation of artifacts that are typical of safety analy¬ 
sis, in particular Fault Trees and FMEA tables [29,6,7]. A Fault Tree (FT) is a graphical 
representation of the sets of possible causes of a given (undesired) event (the root of the 
tree - called Top Level Event, TLE). The TLE is linked by means of logical gates (AND, 
OR) to the basic events (faults). The minimal combinations of faults explaining the TLE 
are called Minimal Cut Sets (MCSs). Eig. 2 (left) shows a sample ET for a battery sensor 
model; the ET links the TLE (a system failure) with basic events (generator and sen¬ 
sor faults). Einally, xSAP can generate Dynamic Eault Trees (DETs) [30,31], where a 
priority AND gate is used to identify order of precedence of different events [32]. 

EMEA tables are a tabular representation of the causality relationships between (sets 
of) faults and a list of properties (representing undesired events, as in the case of ETs). 
xSAP also supports the generation of Dynamic EMEA tables, where order of events 
may be imposed. 
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2.3 Common Cause Analysis 

Common Cause Analysis (CCA) is a necessary step of safety assessment, that is 
often required by safety standards, see e.g., [6,7]. It consists in evaluating the conse¬ 
quences of events that may break the hypothesis of independence of different faults. 
CCA aims at investigating possible dependencies, and evaluates the consequences in 
terms of system safety/reliability. xSAP enables the definition of events named com¬ 
mon causes, which may trigger the occurrence of a set of (dependent) faults. Such 
faults may follow a user-specified pattern, e.g., simultaneous or cascading (subject to 
given temporal constraints). For instance, debris caused by an engine burst (the com¬ 
mon cause) may cause multiple components of an aircraft to fail simultaneously. xS AP 
enables the evaluation of system reliability in presence of common causes and the gen¬ 
eration of FTs including them. 

2.4 Probabilistic Evaluation 

xS AP supports the probabilistic evaluation of Fault Trees. Given numerical proba¬ 
bilities for the basic events and for the common causes, xS AP computes probabilities 
for the intermediate nodes and the TLE of a Fault Tree. With the exception of the con¬ 
stituent faults of common causes, all faults are assumed to be independent. 

Furthermore, xS AP supports the symbolic computation of the formula representing 
the probability of the TLE, given the probability of the basic events. Erom such formula, 
xS AP produces the code in Python and Matlab/Octave. This can be used to sample the 
reliability of a system for different values of the fault probabilities, and plotted using 
visualization tools (e.g., Matlab [33]). Pig. 2 shows the PT with associated numerical 
probabilities, and the symbolic formula representing the probability of the TLE. 

2.5 Failure Propagation Analysis 

xSAP supports analysis of failure propagation using Timed Pailure Propagation 
Graphs (TPPGs). A TPPG [34] is a graph-like model that accounts for the temporal 
progression of failures in dynamic systems and for the causality between failure effects, 
taking into consideration time delays, system reconfiguration and sensor failures. TP¬ 
PGs may be seen as a more fine-grained model w.r.t. DPTs, and can be used to support 
important run-time activities such as diagnosis and prognosis [35,36,20]. 

The nodes of a TPPG represent either failures or discrepancies (representing anoma¬ 
lous behaviors). Edges represent propagation links; they are labeled with timing infor¬ 
mation (bounding the minimum and maximum propagation time) and modes (informa¬ 
tion on system modes enabling the propagation, e.g., operational modes of a spacecraft). 
Discrepancies may be given either AND or OR semantics - in the former case all in¬ 
coming edges must be active in order for the failure to propagate, in the latter case 
any of them suffices. Pig. 3 shows a sample TPPG for the battery sensor model. Nodes 
without incoming edges (shown with dotted lines) are failures, whereas the remaining 
nodes are discrepancies (AND discrepancies are drawn as boxes, and OR discrepancies 
as circles). Edges are labeled with propagation bounds (in square brackets) and system 
modes (in curly brackets). 

xSAP supports modeling and validation of TPPGs [37]. In particular, behavioral 
validation has the purpose to check whether a TPPG is a complete abstraction of a given 
system model (i.e., it contains at least as many behaviors as the system it represents). 
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Fig. 3. An example TFPG. 


Finally, xSAP supports automatic synthesis of a TFPG from a model, given a set of 
failures and discrepancies (currently, only the structure of the graph is synthesized). 
The integration of the TFPG validation features described in [38] is under way. 


3 Architecture and Implementation 


The architecture of xSAP is built around the NUXmv symbolic model checker [39], 
from which it inherits all the functionalities. NUXmv is an extension of NuSMV, and 
supports the verification of finite- and infinite-state systems, by means of advanced 
SAT- and SMT-based model checking techniques. NUXmv provides to xS AP the basic 
infrastructure, e.g., the symbol table, the flattening of the design, the Boolean encoding 
of scalar variables, the representation of state machines and temporal formulae, and the 
basic model checking algorithms. 

On top of this, xSAP features the following blocks. Model Extension includes the 
library of fault modes, a parser for the fault extension instruction language, and the 
model extension. Minimal cut sets computation is realized by way of routines for pa¬ 
rameterized model checking, using the model checking primitives of NUXmv as build¬ 
ing blocks. Fault Trees can be generated/stored/retrieved either in XML or in a standard 
textual (tab-separated) format supported by commercial tools, such as FaultTree-t [40]. 
The management of FMEA tables is isolated in a separate module. Support for Time 
Failure Propagation Graphs is based on XML and textual formats. The textual for¬ 
mat has been conceived to enable editing in a human-readable form - xSAP provides 
conversion from textual to XML and vice versa. Syntax Directed Editors (SDEs) are 
available for editing models, fault extension instructions, and TFPGs. Finally, the Vi¬ 
sualization module contains graphical viewers that can be used to display the safety 
analysis artifacts: an FT Viewer and a TFPG viewer are available for the analysis of 
FTs and TFPGs, respectively. 
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xS AP has been developed in C and in C++ for the internal modules, while Python 
is used for model extension and TFPG manipulation. The viewers are based on the 
PyGTK, Goocanvas, PyGraphviz and Matplotlib libraries. xSAP compiles and exe¬ 
cutes on the most widely used Operating Systems (OSs) and architectures, namely; 
Linux, MS Windows, and MacOS X. Porting to other OSs is also possible (although 
not tested yet). 


4 Applications 

The xSAP platform has been used in a wide range of applications, both at academic 
and at industrial level, and in several domains, including avionics and aerospace, rail¬ 
way and industrial control. xS AP is the successor of FS AP [14] and retains all its fea¬ 
tures. FS AP has been developed within the ESACS [41], ISAAC [42], and MISSA [43] 
projects. It pioneered the ideas of model extension and model-based safety assessment, 
and was applied for safety assessment of avionics system [1,2,44]. 

xSAP has been widely used in several industrial projects with the European Space 
Agency (ESA). It is the back-end of the COMPASS tool [45,5,18], developed within the 
COMPASS [9], AUTOGEE [10,19], EAME [11,20] and HASDEL [12] projects funded 
by ESA. 

Currently, xS AP is being used by Boeing [13]. The Boeing Company has evaluated 
xSAP in the context of a joint research and development project in the areas of model- 
based safety assessment, verification and validation, and contract-based design. The 
purpose of this project is to demonstrate the usefulness and suitability of model-based 
safety assessment techniques for improving the overall process in terms of robustness 
and cost-effectiveness, and for certification purposes. In this context, xSAP has been 
used to model an industrial-size case study [13,46] and thoroughly evaluated in an in¬ 
dustrial setting. 


5 Conclusions and Future Work 

In this paper we presented xSAP, a state-of-the-art platform for model-based safety 
analysis, providing a full range of functionalities, based on symbolic model checking 
techniques. We described the architecture of xSAP and its industrial applications. 

The symbolic technologies implemented in xS AP provide significant advances also 
in terms of scalability. We refer to [23] for a comparison with Altarica/OCAS (carried 
out using a license courtesy of Dassault Aviation), and to [17] for an exhaustive evalu¬ 
ation of the novel routines implemented in xSAP. 

As future work, we intend to extend xSAP in several directions. Eirst, we want to 
incorporate Contract-Based Safety Assessment (CBSA) techniques [47], enabling the 
generation of hierarchical ETs following the design structure. Moreover, we wish to 
incorporate the routines for evaluation of reliability architectures we developed in [48]. 
Einally, a significant extension will concern the definition of observability information 
in the model and the addition of related functionalities, such as diagnosability analysis 
and Eault Detection, Eault Isolation and Eault Recovery (EDIR) analysis [37]. 
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